Network security

Firewall Unleashed

Introduction

Firewalls are used to control the inbound and outbound traffic on a protected network. They have an ability to block and allow the internal as well as external services within the network. Before allowing access to the service, a firewall may also force the client / user to pass through authentication. It is also used to monitor the ingoing and outgoing traffic of the protected network. Sometimes a firewall can be also used in IPSEC tunnels as a platform. It monitors security-related events.

Learn Network Security Fundamentals

Build your skills with seven hands-on courses covering network models and protocols, wireless and mobile security, network security best practices and more.

Start Learning

Packet Filtering

The packet filtering mechanism mainly contains inspection on TCP/IP and UDP packets. It also includes all ports in its inspection. In this process, certain rules are written for allowing and rejecting the packets passing through the network. The rules written in the firewall may contain TCP and UDP port numbers, source and destination addresses. One can implement firewall rules which may work in both inbound and outbound directions.

Types of Firewalls

There are basically four types of firewalls:

1. Packet Filter Firewall
2. Stateful Packet Filter Firewall
3. Circuit Level Gateway
4. Application Level Gateway

1. Packet Filter Firewall

   This firewall comes into play when an administrator wants only certain packets to enter into the protected network. In this case, each packet will be monitored and inspected before passing through the network, and after monitoring and inspecting, the firewall will decide whether to let it pass or not.

   

Figure : Packet Filtering Firewall Location

There are two types of packet filter mechanisms:

1. Stateful Packet Filtering

   This type of firewalls is known as a smart / clever firewall. If the firewall remembers the packets it allowed and blocked in the network, then it is known as stateful packet filtering. Sometimes it is also called a dynamic packet process.

2. Stateless Packet Filtering

   In this case, information about all those previous packets passed through the networks is not being remembered by a firewall. This type of firewall can be bypassed and easily fooled by attackers, and is especially dangerous for UDP data packets. This firewall will never come to know whether the given packet is a part of existing connection or any rough useless packet, because it isolates each and every packet.

3. Stateful Filter Firewall

   I have already mentioned the stateful packet filtering process in the above section. Additionally, this type of firewall keeps a track record of TCP streams to inspect each and every packet passing through and in and out of the network. Generally this type of firewall is only constructed to inspect packets which are coming in only one direction, from client to server. There is an automatic process which handles counter requests (replies) going from server to client. It has an ability to support a wider range of protocols such as IRC, FTP, etc...

   Example: FTP Inspection

   

Figure : FTP Inspection Architecture

Example:

First, the client sends an FTP request to the server, and the firewall will store the connection state. Then the server will give the server port to the client in order to tell the client that we will be using this 2050 port (as mentioned in above pic). Then it checks for the state of connection such as SYN, ACK, etc. If everything is right and legitimate, then the server establishes the connection and starts transferring the data by keeping in mind that packets should not be lost.

1. Circuit Level Gateway

   This is a type of firewall within the session layer. It checks the legitimacy of the TCP handshake between packets in order to check if the established session is legitimate or not. The problem with circuit level gateway is, they do not provide cleaning of entity packets. Due to this, private networks have an advantage and it is that they can hide their network information. Here individual packets will not be filtered. SOCKS are commonly used in this type of firewall.

   

Figure : Circuit Level Gateway Architecture

Here TCP/IP packets will be accepted by the firewall. There is identical specification of the rules such as packet filter firewalls. Adding to that, several rules can state which connections will be allowed and which connections should be not allowed. An allowed connection (via rules) will create a new fresh connection with the server.

1. Application-Level Gateway

   Application-level gateway contains security components such as a firewall. As per its name, sometimes it is also denoted as ALG (application-level gateway). Here the client connects to the server using any TCP/IP application such as FTP or Telnet. Then the name of the remote host is needed from the user to access it. The gateway also relays the TCP segment which has some information of application data between client and server.

   

Figure : Application layer proxy firewall flow scenario

Here the client and server both will connect to the proxies instead of connecting directly. So if the proxy finds any suspicious file or activity on their network, it will drop that connection. This firewall is made to handle complex protocols such as SIP, H.323, etc. Here packets are received and also processed by the server. The client generates new packets every time.

Types of Policies

There are two types of policies in these types of firewalls.

1. Permissive: Generally it allows all packets to pass through the network using relative ports and block just some packets, such as IRC, TELNET, SNMP, etc. If you forget to block something, then it can cause a vulnerable network.

1. Restrictive: By default it blocks
   all packets and allows some packets to pass through the network using certain ports and allows HTTP/s, SSH, SMTP, POP3 etc. This policy is secure, compared to the permissive one. Here if you forget to allow any port, someone will complain to you and you can allow that port; on the other hand, in permissive policy, if ports are open without you knowing, then no one will complain or tell you.

Netfilter/IPtables

Netfilter.org is home of the packet filtering framework for Linux kernels starting from 2.4.x and later. Software within that framework is known as Iptables. All incoming packets passing through the routing engine determines whether it should be allowed to deliver to the client or not. Using iptables, you can create your own firewall based on your rules. Netfilter has three tables:

Filter – Contains INPUT, FORWARD & OUTPUT chains.

NAT – Contains the rule for source/destination address along with port translation.

Mangle - Contains rules for specialized packet routing flag.

Syntax

#iptables < option >< chain >< matching_criteria>< target >

Features

It provides stateless and stateful packet filtering for both IPv4 and IPv6.

It provides each and every kind of port translation in both IPv4 and IPv6.

Creating Basic Firewall Using Iptables And Testing It Simultaneously

Challenge: Create a firewall for a university/college in which they want their SSH port to be open so students can work in the university's virtual Linux environment. They specifically want to block the icmp echo packets coming to their server. Also allow all these ports on networks such as 80, 443, 21 & 20. The university also wants packets containing SYN & FIN flag to be allowed, and the rest of them must be blocked over the Internet. The network also must allow traffic on the loopback device which will be localhost/127.0.0.1

Solution:

Before you start configuring your firewall, you need to make sure that iptables/netfilters is installed on your Linux environment. Generally it is there, if it is not there then you can download it from this website.

Download iptables/Netfilter: http://www.netfilter.org/downloads.html

If there is an iptables running on your machine, it means it will have some rules by default. If you want to see that which rules are currently set to which option, you can run the below command.

#iptables -L

So it shows that currently the input and forward chain's values are set as DROP and output chain's value has been set to ACCEPT.

One should keep a practice that if he/she is going to create a new firewall, he/she needs to flush all previous/old rules which are previously set. To clear all those rules, you need to give this command.

#iptables –F or #iptables --flush

It will flush/remove/clear/delete all the previous rules set in the firewall. Now we are in a position to create a new firewall with our custom rules to address the given challenge.

In reading our challenge, one thing is sure: that our primary policy set will be in such a way that our input chain policy will be set to DROP in order to drop all the packets initially at the firewall level so that they don't come inside the network, and then we will set different packets to let them come inside our network. So our input chain's policy value will be set to DROP along with forward policy value. And we will set the output policy value as ACCEPT, as there won't be any harm if some packets are going from the network to the outside world on the Internet. So here are those terminal commands.

iptables -P INPUT DROP

iptables -P OUTPUT ACCEPT

iptables -P FORWARD DROP

The first two commands are easily understandable: we are dropping each and every incoming packet and we are allowing every outgoing packet. We use the forward policy to route the packets within the LAN. So if you want to allow that scenario, set the value of that policy as ACCEPT. In our case they have not mentioned anything, so we will block it for this moment.

Now the second thing to do is to allow the traffic which establishes new sessions. In order to do that, we can give the below command.

#iptables -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT

Here I am going to describe some options used in this command which will remain constant throughout this example. Option –A stands for append. Its work is to append the given rule to the relevant rule chain. Here our rule chain is INPUT. The –m option is used for matching. Here it is matching our different state with the live traffic and if it finds anything, it applies the policy on that. Lastly, the -j option tells exactly what to do with the packet which is matched and found by the firewall.

For the jump, there are some targets such as ACCEPT & DROP. As you know, ACCEPT will allow that packet to come inside the network through the firewall and DROP will simply drop the packet. When you give this command to the terminal, and if you set the policy using the iptables –L command, you will see the below result.

I have given the below command to print "Starting New firewall":

#echo "Starting New firewall"

Moving forward, now we need to open the SSH port whose port number is 22. So basically students of the university/college can play in their virtual Linux box via port number 22 (SSH) by sitting anywhere. Here is a command for that:

#iptables -A INPUT -i eth1 -p tcp --dport 22 -d 192.168.150.136 -j ACCEPT

Here we have two new options which are –i and –p. The "-i" stands for interface declaration. It may be possible that the university has more than one interface, so set which interface you want to apply these rules. According to the challenge, they want to apply these rules on their eth1 interface.

The "-p" option is used to define the protocol such as tcp and udp. Here we are defining our SSH port, so we will use the tcp option and last but not least we will use the "-dport" option, which stands for destination port. In our case, we are working on SSH and the port number of SSH is 22. So we will define dport value as 22.

The "-d" option is used for the destination IP address. We mentioned it in our command. When you set this policy through your terminal and then you list the result, it will look something like this:

Testing SSH with ACCEPT and DROP Value Set

Value set ACCEPT:

Value set DROP:

Now it is time to configure all ports mentioned in our challenge. We will form a group of two. First we will accept all those packets which are coming through http and https. The command for that is shown below.

#iptables -A INPUT -p tcp --dport 80 -j ACCEPT
#iptables -A INPUT -p tcp --dport 443 -j ACCEPT

All the options are mentioned. The only difference is that in dport value we give 80 which stands for http and 443 which stands for https. We will not be testing each and every policy we set in our firewall. We will test only some of those major ones. After running the above commands in your terminal, when you list the rules it will look something like this:

Now we are going to allow loopback traffic on the localhost which will be l0/127.0.0.1. Here we will allow both inbound and outbound traffic in loopback. The command for that is shown below.

#iptables -A INPUT -i l0 -p all -j ACCEPT
#iptables -A OUTPUT -o l0 -p all -j ACCEPT

As you can assume, we have set our interface value of the loopback device which is l0/127.0.0.1. On top of that we are allowing all ports to communicate with this device. After you set this result, when you list the rules it will look something like this:

You can see that entries are increasing at the down side as we are setting our each and every rule. Now we will allow port 21 & 20 to communicate with our network. The command for that is:

#iptables -A INPUT -p tcp --dport 21 -j ACCEPT
#iptables -A INPUT -p tcp --dport 20 -j ACCEPT

After applying these rules to the terminal, list the firewall policy. It will look like this:

Moving forward, the university specifically wants to block all icmp echo packets coming to their server. To do that, here is the command:

#iptables -A INPUT -p icmp -d 192.168.150.136 --icmp-type 8 -j DROP

Here we have defined the destination IP address where we want to block/DROP all icmp echo packets. Icmp has some number types starting from 0 to 41-255 and each number has some meaning, for example number 8 stands for echo. If you want to know more about that, refer to RFC792. List the rules after setting this latest icmp policy.

Value set ACCEPT: Reply from the server is coming.

Value set DROP: Server won't respond anymore.

Finally, at last, the university wants to accept the packets coming on the network which contains SYN and FIN flags only. It means the rest of the all packets containing flags such as RST, PSH, ACK & URG must be blocked. I could only give two commands in order to show that only packets containing SYN and FIN flags should come through, though I have typed all commands in order to have a close look if you want to use them in the future, and then you can uncomment and change them according to your needs.

So here are the commands for that:

iptables -A INPUT -m tcp -p tcp --tcp-flags ALL SYN -j ACCEPT

iptables -A INPUT -m tcp -p tcp --tcp-flags ALL FIN -j ACCEPT

#iptables -A INPUT -m tcp -p tcp --tcp-flags ALL RST -j ACCEPT

#iptables -A INPUT -m tcp -p tcp --tcp-flags ALL PSH -j ACCEPT

#iptables -A INPUT -m tcp -p tcp --tcp-flags ALL ACK -j ACCEPT

#iptables -A INPUT -m tcp -p tcp --tcp-flags ALL URG -j ACCEPT

I have executed first two commands and the rest of those are in the comment. So in the first two commands it shows that they have loaded first all flags by defining ALL and then they just want SYN and FIN to enter via packet into the network. So when you list the rules it will look like this:

So in the last two commands it tells us that it is showing that total tcp flags are FIN, SYN, RST, PSH, ACK & URG, but from all of them you need to accept the packets which only contains SYN and FIN flags. So here is the testing for that. For testing purpose I am using hping3 utility in KALI Linux.

To write all these commands in the terminal is a very tedious thing. It is better to write a script for this. To create a script, you will need to go to the /sbin/ folder and then you create any file with a touch command. In my case it's a ccc.sh file, so the command would be like this:

#touch ccc.sh

Then you open that file with your favorite editor and write all the following code in that. Before you start writing all the rules, you must define the below:

#!/bin/bash

This command will identify that it's a bash script. Otherwise it won't recognize anything written in that file. So your final code would be like this:

#!/bin/bash

echo "Starting New firewall"

#Flushing old firewall rules

iptables -F

#standard Firewall rules for INPUT OUTPUT and FORWARD

iptables -P INPUT DROP

iptables -P OUTPUT ACCEPT

iptables -P FORWARD DROP

#Allowing 3-way handshake
iptables -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT

#Allowing SSH server
iptables -A INPUT -i eth0 -p tcp --dport 22 -d 192.168.150.136 -j ACCEPT

#Allow HTTP HTTPS - 80,443

iptables -A INPUT -p tcp --dport 80 -j ACCEPT

iptables -A INPUT -p tcp --dport 443 -j ACCEPT

#Allowing Loopback traffic(Input and Output both) - l0

iptables -A INPUT -i l0 -p all -j ACCEPT

iptables -A OUTPUT -o l0 -p all -j ACCEPT

#Allow FTP - 21 20

iptables -A INPUT -p tcp --dport 21 -j ACCEPT

iptables -A INPUT -p tcp --dport 20 -j ACCEPT

#Blocking IMCP packets
iptables -A INPUT -p icmp -d 192.168.150.136 --icmp-type 8 -j DROP

#Blocking Packets with all tcp flags

iptables -A INPUT -m tcp -p tcp --tcp-flags ALL SYN -j ACCEPT

iptables -A INPUT -m tcp -p tcp --tcp-flags ALL FIN -j ACCEPT

#iptables -A INPUT -m tcp -p tcp --tcp-flags ALL RST -j ACCEPT

#iptables -A INPUT -m tcp -p tcp --tcp-flags ALL PSH -j ACCEPT

#iptables -A INPUT -m tcp -p tcp --tcp-flags ALL ACK -j ACCEPT

#iptables -A INPUT -m tcp -p tcp --tcp-flags ALL URG -j ACCEPT

#Listing the Set Rules

iptables -L

Now you run that file by simply typing ./ccc.sh in the terminal. In case it does not work, then you need to set the permission to that file by simply typing chmod 777 ccc. sh and then it will surely run.

FILL OUT THE FORM BELOW TO DOWNLOAD THE FIREWALL FILE WHICH IS A BASH SCRIPT. YOU WILL NEED TO PUT IT IN CENTOS AND FOLLOW THOSE PERMISSION COMMANDS, WHICH I SHOWED YOU EARLIER IN THIS TUTORIAL. THUS YOU WILL BE ABLE TO CONFIGURE YOUR DESIRED FIREWALL.

Conclusion

You have come to know how we can build our custom firewall in order to protect our network. It is very much cost effective and easy to setup your own. Also it has hybrid modules, function & features. It is also a best practice for network administrators to play with the firewall.

Learn Network Security Fundamentals

Build your skills with seven hands-on courses covering network models and protocols, wireless and mobile security, network security best practices and more.

Start Learning

References

1. http://securityworld.worldiswelcome.com/packet-filtering-firewall-an-introduction
2. http://www.checkpoint.com/smb/help/z100g/7.5/7082.htm
3. http://aeriqusyairi.com/2013/08/13/packet-filtering-firewalls/
4. https://en.wikipedia.org/wiki/Circuit-Level_Gateway
5. http://zapidi888.blogspot.co.uk/2009/10/lecture-8-firewall.html
6. http://myitweb.weebly.com/application-level-gateway.html
7. http://www.linuxjournal.com/article/7296
8. http://my.safaribooksonline.com/book/networking/firewalls/0672327716/iptables-the-linux-firewall-administration-program/ch03lev1sec4
9. http://www.centos.org/docs/4/html/rhel-sg-en-4/s1-firewall-ipt-fwd.html
10. https://www.frozentux.net/iptables-tutorial/iptables-tutorial.html#TARGETS
11. http://www.nthelp.com/icmp.html